Access Control Lists in Debian Lenny
- by arbales
So, for my clients who have sites hosted on my server, I create user accounts with standard home folders inside /home.
I set up an SSH jail for all the collective users, because I really am against using a separate FTP server. Then I installed ACL and added acl to my /etc/fstab; all good.
I cd into /home and chmod 700 ./*.
At this point users cannot see into other users' home directories (yay), but Apache can't see them either (boo). I ran setfacl -m u:www-data:rx ./*. I also tried individual directories.
Now Apache can see the sites again, but so can all the users. ACL changed the permissions of the home folders to 750.
How do I set up ACLs so that 1. Apache can see the sites hosted in users' home folders AND 2. users can't see outside their home and into others' files?
Edit: more details:
Output after chmod -R 700 ./*
sh-3.2# chmod 700 ./*
sh-3.2# ls -l
total 72
drwx------+ 24 austin austin 4096 Jul 31 06:13 austin
drwx------+ 8 jeremy collective 4096 Aug 3 03:22 jeremy
drwx------+ 12 josh collective 4096 Jul 26 02:40 josh
drwx------+ 8 joyce collective 4096 Jun 30 06:32 joyce
(Not accessible to other users OR Apache)
setfacl -m u:www-data:rx jeremy
(Now accessible to Apache and members of collective — why collective, too?)
sh-3.2# getfacl jeremy
# file: jeremy
# owner: jeremy
# group: collective
user::rwx
user:www-data:r-x
group::r-x
mask::r-x
other::---
Solution
Ultimately what I did was:
chmod 755 *
setfacl -R -m g::--- *
setfacl -R -m u:www-data:rx *
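Added example, not part of the original post: a scratch-directory script that reproduces the mask behaviour behind the getfacl output above and then sets every ACL entry explicitly. It assumes the acl package is installed and the filesystem under mktemp -d accepts ACLs, and it uses uid 33 (Debian's www-data) in place of the www-data name so it runs on a box without that account; the numeric-uid form of setfacl and getfacl --omit-header are the GNU/Linux ones. What it shows: once a directory carries a mask entry, chmod rewrites the mask rather than the group:: entry (so ls reports drwx------+ while getfacl still lists group::r-x), and any later setfacl -m recalculates the mask as the union of group::, named users and named groups, which is why r-x reappeared for the owning group collective.

```sh
#!/bin/sh
# Added example, not from the original post. Reproduces the ACL mask
# behaviour on a scratch directory and ends with an explicit entry set.
# Assumes: acl tools installed, an ACL-capable filesystem under mktemp -d,
# and uid 33 standing in for www-data (Debian's default; an assumption).
set -eu

WEB_UID=33
DEMO=$(mktemp -d)
SITE_DIR="$DEMO/jeremy"
trap 'rm -rf "$DEMO"' EXIT

# Succeeds only if setfacl/getfacl exist and the scratch directory takes ACLs.
acl_available() {
    command -v setfacl >/dev/null 2>&1 || return 1
    command -v getfacl >/dev/null 2>&1 || return 1
    setfacl -m "u:$WEB_UID:rx" "$DEMO" 2>/dev/null || return 1
    setfacl -b "$DEMO"
}

# Print the permission triple of one ACL entry, e.g. acl_field "$d" mask::
# (the tab-separated "#effective:" annotation getfacl adds is cut away).
acl_field() {
    getfacl --omit-header "$1" | grep "^$2" | cut -d: -f3 | cut -f1
}

# Step 1: a 750 home directory that already carries an ACL, which is what
# the '+' after the mode bits in the ls output means.
make_home() {
    rm -rf "$SITE_DIR"
    mkdir "$SITE_DIR"
    chmod 750 "$SITE_DIR"
    setfacl -m "u:$WEB_UID:rx" "$SITE_DIR"    # also creates a mask entry
}

# Step 2: chmod 700 on a directory with a mask rewrites the mask, not
# group::, so ls shows drwx------+ while getfacl still has group::r-x.
chmod_700_state() {
    chmod 700 "$SITE_DIR"
    echo "group::$(acl_field "$SITE_DIR" group::) mask::$(acl_field "$SITE_DIR" mask::)"
}

# Step 3: setfacl -m recalculates the mask as the union of group::, named
# users and named groups, which makes group::r-x effective again.
grant_web_state() {
    setfacl -m "u:$WEB_UID:rx" "$SITE_DIR"
    echo "group::$(acl_field "$SITE_DIR" group::) mask::$(acl_field "$SITE_DIR" mask::) user:$WEB_UID:$(acl_field "$SITE_DIR" "user:$WEB_UID:")"
}

# Step 4: state every entry explicitly. The recalculated mask is r-x, but
# group:: and other:: are ---, so only the owner and uid 33 can traverse.
lock_down_state() {
    setfacl -m "u::rwx,g::---,o::---,u:$WEB_UID:rx" "$SITE_DIR"
    echo "group::$(acl_field "$SITE_DIR" group::) mask::$(acl_field "$SITE_DIR" mask::) other::$(acl_field "$SITE_DIR" other::) user:$WEB_UID:$(acl_field "$SITE_DIR" "user:$WEB_UID:")"
}

if acl_available; then
    make_home
    echo "after chmod 700:    $(chmod_700_state)"
    echo "after granting web: $(grant_web_state)"
    echo "locked down:        $(lock_down_state)"
    ls -ld "$SITE_DIR"
else
    echo "setfacl unavailable or ACLs unsupported under $DEMO; nothing to show" >&2
fi
```

Run it as any user; it creates and removes its own directory. In the final state ls prints drwxr-x---+, but the r-x in the group column is the mask, and getfacl confirms group::--- and other::---, so the owning group and everyone else are denied while the owner and uid 33 can still traverse the directory.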